The IPv6 (in)security
1 The IPv6 (in)security Łukasz Bromirski Confidence, Prague, XI
2 Disclaimer. IPv6 should be treated as just another protocol: there's no inherent security problem in the idea itself, but as usual, many mechanisms need to be mastered to be applied securely. We will migrate to IPv6 at some point in time, so you'll either spend time now to learn and apply the knowledge in practice, or be forced to learn it very fast later on, with obvious drawbacks. You're probably running IPv6 today anyway, even if you don't know it.
3 Agenda: The security problems in IPv4 solved in IPv6; Attack environment for IPv6; Protecting the network (management plane, control plane, data plane); Other issues and areas of concern; Real-life implementation info; Q&A
4 Security problems of IPv4 solved in IPv6
5 None. All layers above IPv4 are just as insecure as the ones above IPv6. IPv6 makes some things better, other things worse, and some things differently than IPv4. IPv6 is more complex than IPv4, and complexity brings security problems. All vendors leading IPv6 efforts have already published bugs, and they'll publish more: Cisco, Juniper, Microsoft, Sun/Oracle and a lot of open source software.
6 IPv6 attack environment
7 Nothing changed fundamentally. Sniffing: IPv6 mandates IPsec capabilities, but do you use it end-to-end after finally getting connected? Application-level attacks: even if IPsec is turned on, most of the attacks happen in this layer anyway, so did you install a Service Pack today? Rogue devices & MITM attacks: still can and will be executed.
8 Reconnaissance in IPv6: Subnet Size Difference. Default subnets in IPv6 have 2^64 addresses. 14.8 Mpps (roughly a 10GE interface) = ~ years. This makes blind scanning inefficient. There are interesting studies of real-world assignment behaviors for IPv6 addressing*. Billion = 52 Trillion Trillion IPv6 addresses per person. World's population is approximately 6.5 billion. * Malone, D., Observations of IPv6 Addresses. Passive and Active Measurement Conference (PAM 2008, LNCS 4979), April
9 Reconnaissance in IPv6: Scanning Methods Are Likely to Change. Public servers will still need to be DNS reachable (more information collected by Google...). Increased deployment of and reliance on dynamic DNS: more information will be in DNS. Using peer-to-peer clients gives the IPv6 addresses of peers. Administrators may adopt easy-to-remember addresses (::10, ::20, ::F00D, ::DEAD, ::C5C0 or simply the IPv4 last octet for dual stack). By compromising hosts in a network, an attacker can learn new addresses to scan. Transition techniques derive the IPv6 address from the IPv4 address.
10 Scanning Made Bad for CPU. Potential router CPU attacks under aggressive scanning: the router will do Neighbor Discovery... and waste CPU and memory. Built-in rate limiters, or just pushing a separate FPGA to do the job, are not a solution; it's just a way to address the problem, not solve the root cause. Using a /64 on point-to-point links => a lot of addresses to scan! Using an infrastructure ACL prevents this scanning. iACL: edge ACL denying packets addressed to your routers. Easy with IPv6 because a new addressing scheme can be done.
11 Reconnaissance in IPv6? Easy With Multicast! No need for reconnaissance anymore. 3 site-local multicast addresses: FF05::2 all-routers, FF05::FB mDNSv6, FF05::1:3 all DHCP servers. Several link-local multicast addresses: FF02::1 all nodes, FF02::2 all routers, FF02::F all UPnP,... Some deprecated (RFC 3879) site-local addresses are still used: FEC0:0:0:FFFF::1 DNS server. [Figure: a packet with source Attacker, destination FF05::1:3 and a DHCP attack payload]
12 Reconnaissance in IPv6? Defense at the edge of your own network. [Figure: border between Organization A and Organization B]
    ipv6 access-list NO_RECONNAISSANCE
     deny any fec0::/10
     permit any ff02::/16
     permit any ff0e::/16
     deny any ff00::/8
     permit any any
The site-local/anycast addresses must be filtered at the border in order to make them unreachable from the outside. The ACL filters ingress/egress traffic: block FEC0::/10 (deprecated site-local addresses); permit mcast to FF02::/16 (link-local scope); permit mcast to FF0E::/16 (global scope); block all other mcast.
13 Protecting the management plane
14 Management plane: management, provisioning and monitoring with protocols like SSH, FTP, SNMP, Syslog, TACACS+ and RADIUS, DNS, NetFlow, ROMMON, CDP, LLDP and others. [Figure: service provider network (IP/MPLS core, AS 123) with CE, PE and P routers, PoPs, Peer A, Peer B and the Internet, plus a Network Ops Center (NOC) with in-band and out-of-band management]
15 Control plane: all the protocols that make the network work (forward packets, establish adjacencies with new routers, etc.), protocols like BGP, OSPF, LDP, IS-IS, ARP, Layer 2 keepalives, ATM OAM, PPP LCP and others. [Figure: the same network, with iBGP, LDP and IS-IS running between the PE and P routers of the IP/MPLS core (AS 123)]
16 Data plane: traffic going from and to customers. It's the traffic the SP shouldn't touch, but it contains all of the protocols customers can use. [Figure: the same network (IP/MPLS core, AS 123) with CE, PE and P routers, PoPs, Peer A, Peer B and the Internet]
17 Management over IPv6. SSH, syslog, SNMP, NetFlow all work over IPv6. Dual-stack management plane: more resilient (works even if one IP version is down), more exposed (can be attacked over IPv4 and IPv6). Currently under development: RADIUS. But IPv6 RADIUS attributes can be transported over IPv4. As usual, the infrastructure ACL is your friend.
18 Protecting the control plane
19 Preventing IPv6 Routing Attacks. Protocol authentication: BGP, IS-IS, EIGRP, no change: an MD5 authentication of the routing update. OSPFv3 has changed and pulled MD5 authentication from the protocol and instead is supposed to rely on transport mode IPsec. RIPng and PIM also rely on IPsec. IPv6 routing attack best practices: use traditional authentication mechanisms on BGP and IS-IS; use IPsec to secure protocols such as OSPFv3 and RIPng.
20 Link-Local vs. Global Addresses. Link-local addresses (LLA), fe80::/16, are isolated: they cannot reach outside of the link and cannot be reached from outside of the link. They could be used on the infrastructure interfaces: routing protocols (including BGP) work with LLA. Benefit: no remote attack against your infrastructure (an implicit infrastructure ACL). Note: you need to provision a loopback for ICMP generation (notably traceroute and PMTUD). LLA can be configured statically (not the EUI-64 default) to avoid changing neighbor statements when changing MAC:
    interface FastEthernet 0/0
     ipv6 address fe80::1/16 link-local
21 ARP Spoofing is now NDP Spoofing: Threats. ARP is replaced by the Neighbor Discovery Protocol: nothing authenticated; static entries overwritten by dynamic ones. Stateless Address Autoconfiguration: rogue RA (malicious or not); all nodes badly configured; DoS; traffic interception (man-in-the-middle attack). Attack tools exist (from THC, The Hacker's Choice): Parasit6, Fakerouter
22 ARP Spoofing is now NDP Spoofing: Mitigation. BAD NEWS: nothing like dynamic ARP inspection for IPv6. Platforms dealing with the traffic in hardware will need to be upgraded, meaning either a forklift upgrade (whole chassis/RP/LC) or just a firmware update on the FPGAs. GOOD NEWS: Secure Neighbor Discovery (RFC 3971). SEND = NDP + crypto. Present in Cisco IOS and in open source implementations, but not in Windows Vista, 2008, 7... (incompatible with SLAAC privacy extensions enabled by default). Crypto means slower: while it may not hit your workstation, it will hit many small computers (as was the case with vendors not implementing WEP and then WPA "because it slows down the network"), and it needs PKI infrastructure. Other GOOD NEWS: Private VLAN works with IPv6; port security works with IPv6; 802.1x works with IPv6; port ACL on IPv6-capable switches. For FTTH & other broadband access, DHCP-PD means no need for layer-2 communication between CPEs.
23 Secure Neighbor Discovery (SEND), RFC 3971. Cryptographically Generated Addresses (CGA): IPv6 addresses whose interface identifiers are cryptographically generated. RSA signature option: protects all messages relating to neighbor and router discovery. Timestamp and nonce options: prevent replay attacks. Certification paths for authorized routers: anchored on trusted parties, expected to certify the authority of the routers on some prefixes.
24 Protecting the data plane
25 DoS Example: Ping-Pong over Physical Point-to-Point. Same as in IPv4: on a real P2P link, "if not for me, send it on the other side"... Could produce looping traffic. Platforms implementing RFC 4443 (ICMPv6) correctly are not affected here. Use /127 on P2P links (see also RFC 3627) and use an infrastructure ACL or only link-local addresses. [Figure: R1 (Serial 0/0, 2001:db8::1/64) and R2 (Serial 0/0, 2001:db8::2/64) pass a packet addressed to 2001:db8::3 back and forth: 2) To 2001:db8::3, 3) To 2001:db8::3, 4) To 2001:db8::3... 5) To 2001:db8::3]
26 IPv6 Bogon Filtering and Anti-Spoofing. IPv6 nowadays has its bogons: Similar situation as IPv4 => same technique for single-homed edge = uRPF. [Figure: a packet with an unallocated IPv6 source address arrives from the IPv6 Intranet/Internet at an inter-networking device with uRPF enabled; no route to the source address => drop]
27 IPv6 Privacy Extensions (RFC 3041). [Figure: IPv6 address layout showing prefix boundaries (/23, /32, /48) and the interface ID] Temporary addresses for IPv6 host client applications, e.g. web browser. Inhibit device/user tracking. Random 64-bit interface ID, then run Duplicate Address Detection before using it. Rate of change based on local policy. Recommendation: use Privacy Extensions for external communication but not for internal networks (troubleshooting and attack trace back).
28 IPv6 Header Manipulation. Unlimited size of header chain (spec-wise) can make filtering difficult. Potential DoS with poor IPv6 stack implementations. More boundary conditions to exploit: can I overrun buffers with a lot of extension headers? [Figure: sniffer capture of a "perfectly valid IPv6 packet according to the sniffer", annotated: header should only appear once; destination header which should occur at most twice; destination options header should be the last] See also:
29 Parsing the Extension Header Chain. Finding the layer 4 information is not trivial in IPv6: skip all known extension headers until either a known layer 4 header is found => SUCCESS, or an unknown extension header/layer 4 header is found... => FAILURE. Examples: IPv6 hdr | HopByHop | Routing | AH | TCP | data; IPv6 hdr | HopByHop | Routing | AH | Unknown L4 | ???; IPv6 hdr | HopByHop | Unk. ExtHdr | AH | TCP | data.
30 Fragment Header: IPv6 Next Header = 44. [Figure: IPv6 basic header (Next Header = 44, Fragment Header) followed by the fragment header with the fields Next Header, Reserved, Fragment Offset and Identification, then the fragment data] In IPv6, fragmentation is done only by the end system. Tunnel end-points are end systems => fragmentation / re-assembly can happen inside the network. Reassembly is done by the end system, like in IPv4. Attackers can still fragment in an intermediate system on purpose: a great obfuscation tool.
31 Parsing the Extension Header Chain: Fragmentation Matters! The extension header chain can be so large that it is fragmented! Finding the layer 4 information is not trivial in IPv6: skip all known extension headers until either a known layer 4 header is found => SUCCESS, or an unknown extension header/layer 4 header is found... => FAILURE, or the end of the extension headers is reached => FAILURE. Example: IPv6 hdr | HopByHop | Routing | Destination | Destination | Fragment1; IPv6 hdr | HopByHop | Fragment2 | TCP | Data. The layer 4 header is in the 2nd fragment.
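The parsing rule from slides 29 and 31, written out as an added example (not code from the talk): a filter walks the chain and returns SUCCESS only when it reaches a known layer 4 header inside the same packet. The function name `find_l4`, the header tables and the sample packets are constructed for illustration; the packets use zeroed addresses and option bytes.

```python
import struct

# Extension headers this parser knows how to skip, and the layer 4 headers it
# accepts as (name, minimum header length in bytes).
EXT = {0: "HopByHop", 43: "Routing", 44: "Fragment", 51: "AH", 60: "Destination"}
L4 = {6: ("TCP", 20), 17: ("UDP", 8), 58: ("ICMPv6", 4)}


def find_l4(packet):
    """Walk the extension header chain of one raw IPv6 packet.

    Returns (verdict, detail, chain): verdict is "SUCCESS" or "FAILURE", detail
    is the layer 4 protocol or the failure reason, chain lists headers skipped.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "FAILURE", "not an IPv6 packet", []
    nh, off, chain = packet[6], 40, []
    while True:
        if nh in L4:
            name, min_len = L4[nh]
            if off + min_len > len(packet):
                # Chain was valid but the L4 header sits in a later fragment.
                return "FAILURE", "layer 4 header is not in this packet", chain
            return "SUCCESS", name, chain
        if nh not in EXT:
            # Cannot tell an unknown extension header from an unknown L4 header.
            return "FAILURE", "unknown header %d" % nh, chain
        if off + 8 > len(packet):
            return "FAILURE", "header chain ends before layer 4", chain
        chain.append(EXT[nh])
        if nh == 44:
            # Fragment header: fixed 8 bytes, offset in the top 13 bits.
            frag_offset = struct.unpack_from("!H", packet, off + 2)[0] >> 3
            if frag_offset:
                # What follows is mid-payload data, not a header chain.
                return "FAILURE", "non-first fragment", chain
            length = 8
        elif nh == 51:
            length = (packet[off + 1] + 2) * 4      # AH counts 4-byte words
        else:
            length = (packet[off + 1] + 1) * 8      # others count 8-byte units
        nh, off = packet[off], off + length


# --- constructed sample packets (not captured traffic) ---
def base(nh, rest):
    """IPv6 fixed header with zeroed source and destination addresses."""
    return struct.pack("!IHBB", 6 << 28, len(rest), nh, 64) + bytes(32) + rest


def opt(nh):
    """Minimal 8-byte HopByHop / Routing / Destination header."""
    return bytes([nh, 0]) + bytes(6)


def ah(nh):
    """24-byte Authentication Header with zeroed fields."""
    return bytes([nh, 4]) + bytes(22)


def frag(nh, offset, more):
    """Fragment header; offset is in 8-byte units."""
    return struct.pack("!BBHI", nh, 0, (offset << 3) | more, 1)


TCP = bytes(20)
SAMPLES = {
    "known chain": base(0, opt(43) + opt(51) + ah(6) + TCP),
    "unknown L4": base(0, opt(43) + opt(51) + ah(253) + bytes(20)),
    "unknown ext": base(0, opt(253) + bytes(8) + ah(6) + TCP),
    # Chain so long that the TCP header only arrives in the second fragment.
    "fragment 1": base(0, opt(43) + opt(44) + frag(60, 0, 1) + opt(60) + opt(6)),
    "fragment 2": base(0, opt(44) + frag(60, 2, 0) + TCP),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, find_l4(pkt))
```

Both fragments of the last case fail on their own, which is why a stateless filter has to either drop such packets or hand them to something that reassembles first.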
32 Type 0 Routing Header. One issue: Amplification Attack. Besides the well-known dumb firewall bypass... what if an attacker sends a packet with an RH containing A -> B -> A -> B -> A -> B -> A -> B -> A...? The packet will loop multiple times on the link R1-R2: an amplification attack! [Figure: nodes A and B] * As of RFC 5095 (Dec 2007) RH0 is deprecated.
33 IPsec End-to-End will Save the World? IPv6 mandates the implementation of IPsec; IPv6 does not require the use of IPsec. Some organizations believe that IPsec should be used to secure all flows... Interesting scalability issue (n^2 issue with IPsec). Need to trust endpoints and end-users because the network cannot secure the traffic: no IPS, no ACL, no firewall. Network telemetry is blinded: NetFlow of little use. Network services hindered: what about QoS? Recommendation: do not use IPsec end to end within an administrative domain. Suggestion: reserve IPsec for residential or hostile environments or high-profile targets.
34 IPv6 Other issues and areas of concern
35 IPv6 tools ready to be used: Let the Games Begin. Sniffers/packet capture: Snort, TCPdump, Sun Solaris snoop, COLD, Wireshark, Analyzer, Windump, WinPcap. Scanners: IPv6 security scanner, Halfscan6, Nmap, Strobe, Netcat. DoS tools: 6tunneldos, 4to6ddos, Imps6-tools. Packet forgers: Scapy6, SendIP, Packit, Spak6.
36 Tools of trade. THC IPv6 Attack Toolkit: parasite6, alive6, fake_router6, redir6, toobig6, detect-new-ip6, dos-new-ip6, fake_mld6, fake_mipv6, fake_advertiser6, smurf6, rsmurf6. Scanners: nmap, halfscan6. Packet forgery: Scapy6, SendIP, Packit, Spak6. DoS tools: 6tunneldos, 4to6ddos, Imps6-tools.
37 IPv4 to IPv6 Transition Challenges. 16+ methods, possibly in combination. Dual stack: consider security for both protocols; cross v4/v6 abuse; resiliency (shared resources). Tunnels: bypass firewalls (protocol 41 or UDP); can cause asymmetric traffic (hence breaking stateful firewalls).
38 Dual Stack Host Considerations. Host security on a dual-stack device: applications can be subject to attack on both IPv6 and IPv4. Fate sharing: as secure as the least secure stack... Host security controls should block and inspect traffic from both IP versions: host intrusion prevention, personal firewalls, VPN clients, etc. [Figure: a dual-stack client with an IPv4 IPsec VPN and no split tunneling receives a packet with an IPv6 header carrying an IPv6 exploit] Does the IPsec client stop an inbound IPv6 exploit?
39 Dual Stack With IPv6 Enabled by Default. Your host: IPv4 is protected by your favorite personal firewall... IPv6 is enabled by default (Vista, Linux, Mac OS/X,...). Your network: does not run IPv6. Your assumption: I'm safe. Reality: you are not safe. An attacker sends Router Advertisements, your host silently configures IPv6, and you are now under IPv6 attack. Probably time to think about IPv6 in your network.
40 Enabling IPv6 on a Remote Host (in this Case Mac OS/X). 1) Dual-stack MacOS: any IPv6 router? 2) Hacker: I'm the router. 3) Newly IPv6-enabled MacOS does DAD. 4) The full IPv6 address of the MacOS.
41 Transition Threats: ISATAP. Unauthorized tunnels: firewall bypass (protocol 41). The IPv4 infrastructure looks like a Layer 2 network to ALL ISATAP hosts in the enterprise; this has implications on network segmentation and network discovery. No authentication in ISATAP: rogue routers are possible. Windows defaults to isatap.example.com. IPv6 addresses can be guessed based on the IPv4 prefix. [Figure: ISATAP router and ISATAP tunnels over the IPv4 network, which acts as Layer 2 for the IPv6 service; any host can talk to the router; direct communication between hosts]
42 6to4 Relay Security Issues. Traffic injection & IPv6 spoofing: prevent spoofing by applying a uRPF check; drop 6to4 packets whose addresses are built on IPv4 bogons (loopback, RFC 1918). Redirection and DoS: block most of the ICMPv6 traffic (no Neighbor Discovery, no link-local traffic, no redirect). Traffic is asymmetric: 6to4 client/router -> 6to4 relay -> IPv6 server: client IPv4 routing selects the relay; IPv6 server -> 6to4 relay -> 6to4 client/router: server IPv6 routing selects the relay. Cannot insert a stateful device (firewall,...) on any path.
43 TEREDO? Teredo navalis: a shipworm drilling holes in boat hulls. Teredo Microsoftis: IPv6 in IPv4 punching holes in NAT devices. Source: United States Geological Survey
44 Teredo Tunnels (1/3): Without Teredo, Controls Are in Place. All outbound traffic is inspected: e.g., P2P is blocked. All inbound traffic is blocked by the firewall. [Figure: IPv4 Intranet, IPv4 Firewall, IPv4 Internet, Teredo Relay, IPv6 Internet]
45 Teredo Tunnels (2/3): No More Outbound Control. Teredo threats: IPv6 over UDP (port 3544). An internal user wants to get P2P over IPv6 and configures the Teredo tunnel (already enabled by default!). The FW just sees IPv4 UDP traffic (may be on port 53). No more outbound control by the FW. [Figure: IPv4 Intranet, IPv4 Firewall, IPv4 Internet, Teredo Relay, IPv6 Internet]
46 Teredo Tunnels (3/3): No More Outbound Control. Once Teredo is configured, inbound connections are allowed. The IPv4 firewall is unable to control them; an IPv6 attack can reach the target directly. Host security needs IPv6 support now. [Figure: IPv4 Intranet, IPv4 Firewall, IPv4 Internet, Teredo Relay, IPv6 Internet]
47 µTorrent 1.8 (Released Aug. 08)
48 Looping Attack Between 6to4 and ISATAP. 1. Spoofed packet, S: 2001:db8::200:5efe:c000:201, D: 2002:c000:202::1 (6to4 relay). 2. IPv4 packet containing S: 2001:db8::200:5efe:c000:201, D: 2002:c000:202::1 (ISATAP router, prefix 2001:db8::/). 3. IPv6 packet, S: 2001:db8::200:5efe:c000:201, D: 2002:c000:202::1. Repeat until Hop Limit == 0. Root cause: same IPv4 encapsulation (protocol 41), different ways to embed the IPv4 address in the IPv6 address. ISATAP router: accepts 6to4 IPv4 packets and can forward the inside IPv6 packet back to the 6to4 relay. A symmetric looping attack exists. Mitigation: easy on ISATAP routers: deny packets whose IPv6 is its 6to4. Less easy on the 6to4 relay: block all ISATAP-like local addresses? Good news: not so many open ISATAP routers on the Internet.
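The two address encodings behind the loop on slide 48, and the ISATAP-router check, as an added example (not code from the talk). It assumes "its 6to4" means the 6to4 prefix 2002:V4ADDR::/48 built from the router's own IPv4 address, and that the ISATAP router's IPv4 address is 192.0.2.2, read off the destination on the slide; the function names and the second sample packet are constructed.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
# Upper 32 bits of an ISATAP interface ID: 0000:5efe or 0200:5efe.
ISATAP_IIDS = (0x00005EFE, 0x02005EFE)


def embedded_ipv4(addr):
    """Return (mechanism, IPv4Address) if addr embeds an IPv4 address, else None."""
    a = ipaddress.IPv6Address(addr)
    if a in SIX_TO_FOUR:
        # 6to4: the 32 bits right after 2002: are the IPv4 address.
        return "6to4", ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)
    iid = int(a) & 0xFFFFFFFFFFFFFFFF
    if (iid >> 32) in ISATAP_IIDS:
        # ISATAP: the low 32 bits of the interface ID are the IPv4 address.
        return "ISATAP", ipaddress.IPv4Address(iid & 0xFFFFFFFF)
    return None


def own_6to4_prefix(router_v4):
    """The 2002:V4ADDR::/48 prefix derived from the router's IPv4 address."""
    v4 = int(ipaddress.IPv4Address(router_v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def isatap_router_drops(router_v4, src, dst):
    """Assumed reading of the slide's mitigation: drop a decapsulated packet
    when its IPv6 source or destination lies in the router's own 6to4 prefix."""
    prefix = own_6to4_prefix(router_v4)
    return any(ipaddress.IPv6Address(a) in prefix for a in (src, dst))


# Packet from the slide, plus one constructed ordinary ISATAP packet.
SLIDE_SRC, SLIDE_DST = "2001:db8::200:5efe:c000:201", "2002:c000:202::1"
NORMAL_SRC, NORMAL_DST = "2001:db8::200:5efe:c000:205", "2001:db8:ffff::1"
ROUTER_V4 = "192.0.2.2"  # assumption, see lead-in

if __name__ == "__main__":
    for src, dst in ((SLIDE_SRC, SLIDE_DST), (NORMAL_SRC, NORMAL_DST)):
        print(src, embedded_ipv4(src), "->", dst, embedded_ipv4(dst),
              "drop" if isatap_router_drops(ROUTER_V4, src, dst) else "forward")
```

Both encodings resolve to plain IPv4 next hops under protocol 41, which is the slide's root cause: each device sees a packet that looks valid for its own mechanism.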
49 6to4/6rd Tunnels Bypass Centralized ACL. [Figure: two 6to4/6rd routers tunnel over IPv4 to a 6to4/6rd relay, with an ACL towards the IPv6 Internet; direct tunneled traffic between the routers ignores the hub ACL] A 6rd CPE router can be configured to always go through the hub. Direct CPE-CPE communication must then be forbidden by the IPv4 network.
50 Notes from a real world
51 Summary
52 IPv6 (in)security. Any network is as secure as you can make it. Do not blindly copy IPv4 templates to IPv6 ones: use caution and knowledge... most of the work is already done, but it needs rethinking when applied to a new protocol. Do not fight with IPv6; try to embrace its capabilities: NAT no longer needed (one less step to correlate events/configure the user account); stateless or stateful autoconfiguration; mobility.
53 IPv6 (in)security. If you don't have an IPv6-enabled ISP, go to HE or SixXS and get an IPv6 tunnel to start practicing.
54 Any questions?
55 Thanks! IPv6 (in)security Łukasz Bromirski
Course Summary Description This intermediate - advanced, hands-on course covers pertinent topics needed for IPv6 migration and deployment strategies. IPv6 novices can expect to gain a thorough understanding
More informationIPv6 Security Issues and Challenges
IPv6 Security Issues and Challenges Dr. Omar A. Abouabdalla (omar@ipv6global.my) Head Technology Consultant IPv6 Global Sdn Bhd 7 November 2012 IPv6 TO MIGRATE OR NOT TO MIGRATE? It s not an option. Either
More informationCCNP (Routing & Switching and T.SHOOT)
CCNP (Routing & Switching and T.SHOOT) Course Content Module -300-101 ROUTE 1.0 Network Principles 1.1 Identify Cisco Express Forwarding concepts 1.1.a FIB 1.1.b Adjacency table 1.2 Explain general network
More informationConfiguring IPv6 basics
Contents Configuring IPv6 basics 1 IPv6 overview 1 IPv6 features 1 IPv6 addresses 2 IPv6 neighbor discovery protocol 5 IPv6 PMTU discovery 8 IPv6 transition technologies 8 Protocols and standards 9 IPv6
More informationIPv6 Snooping. Finding Feature Information. Restrictions for IPv6 Snooping
The feature bundles several Layer 2 IPv6 first-hop security features, including IPv6 neighbor discovery inspection, IPv6 device tracking, IPv6 address glean, and IPv6 binding table recovery, to provide
More informationVendor: Cisco. Exam Code: Exam Name: Implementing Cisco IP Routing (ROUTE v2.0) Version: Demo
Vendor: Cisco Exam Code: 300-101 Exam Name: Implementing Cisco IP Routing (ROUTE v2.0) Version: Demo DEMO QUESTION 1 Refer to the exhibit. The DHCP client is unable to receive a DHCP address from the DHCP
More informationDiscussions around IPv6 security have centered on IPsec
IPv6 SECURITY SESSION 1 Introduction Discussions around IPv6 security have centered on IPsec Though IPsec is mandatory in IPv6, the same issues with IPsec deployment remain from IPv4: Configuration complexity
More informationTransition To IPv6 October 2011
Transition To IPv6 October 2011 Fred Bovy ccie #3013 fred@fredbovy.com 2011 Fred Bovy fred@fredbovy.com. Transition to IPv6 1 1st Generation: The IPv6 Pioneers Tunnels for Experimental testing or Enterprises
More informationIntroduction to IPv6 - II
Introduction to IPv6 - II Building your IPv6 network Alvaro Vives 27 June 2017 Workshop on Open Source Solutions for the IoT Contents IPv6 Protocols and Autoconfiguration - ICMPv6 - Path MTU Discovery
More informationETSF05/ETSF10 Internet Protocols Network Layer Protocols
ETSF05/ETSF10 Internet Protocols Network Layer Protocols 2016 Jens Andersson Agenda Internetworking IPv4/IPv6 Framentation/Reassembly ICMPv4/ICMPv6 IPv4 to IPv6 transition VPN/Ipsec NAT (Network Address
More informationCase Study A Service Provider s Road to IPv6
Case Study A Service Provider s Road to IPv6 September 2010 Menog Amir Tabdili UnisonIP Consulting amir@unisonip.com The Scenario Residential Network L3 MPLS VPN Network Public Network The Scenario What
More informationCCIE Routing & Switching
CCIE Routing & Switching Cisco Certified Internetwork Expert Routing and Switching (CCIE Routing and Switching) certifies the skills required of expert-level network engineers to plan, operate and troubleshoot
More informationQuestion: 1 Which three parameters must match to establish OSPF neighbor adjacency? (Choose three.)
Volume: 217 Questions Question: 1 Which three parameters must match to establish OSPF neighbor adjacency? (Choose three.) A. the process ID B. the hello interval C. the subnet mask D. authentication E.
More informationAdvanced Computer Networking. CYBR 230 Jeff Shafer University of the Pacific. IPv6
CYBR 230 Jeff Shafer University of the Pacific IPv6 2 IP Versions Version Description 0-3 Unused: Development versions of IP 4 Current network-layer protocol 5 Unused: Experimental stream protocol ST 6
More informationForeword xxiii Preface xxvii IPv6 Rationale and Features
Contents Foreword Preface xxiii xxvii 1 IPv6 Rationale and Features 1 1.1 Internet Growth 1 1.1.1 IPv4 Addressing 1 1.1.2 IPv4 Address Space Utilization 3 1.1.3 Network Address Translation 5 1.1.4 HTTP
More informationTransitioning to IPv6
Transitioning to IPv6 麟瑞科技區域銷售事業處副處長張晃崚 CCIE #13673 2007 Cisco Systems, Inc. All rights reserved. ICND2 v1.0 7-1 IPv4 and IPv6 Currently, there are approximately 1.3 billion usable IPv4 addresses available.
More informationImplementing Cisco Network Security (IINS) 3.0
Implementing Cisco Network Security (IINS) 3.0 COURSE OVERVIEW: Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles and technologies, using
More informationEverything you need to know about IPv6 security I can manage in 30min. IPv6 Day Copenhagen November 2017
Welcome to Everything you need to know about IPv6 security I can manage in 30min IPv6 Day Copenhagen November 2017 Henrik Lund Kramshøj hlk@zencurity.dk Slides are available as PDF, kramshoej@github c
More informationIPv6 Transition Mechanisms
IPv6 Transition Mechanisms Petr Grygárek rek 1 IPv6 and IPv4 Coexistence Expected to co-exist together for many years Some IPv4 devices may exist forever Slow(?) transition of (part of?) networks to IPv6
More informationFundamentals of Network Security v1.1 Scope and Sequence
Fundamentals of Network Security v1.1 Scope and Sequence Last Updated: September 9, 2003 This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document
More informationExam Topics Cross Reference
Appendix R Exam Topics Cross Reference This appendix lists the exam topics associated with the ICND1 100-105 exam and the CCNA 200-125 exam. Cisco lists the exam topics on its website. Even though changes
More informationTestOut Routing and Switching Pro - English 6.0.x COURSE OUTLINE. Modified
TestOut Routing and Switching Pro - English 6.0.x COURSE OUTLINE Modified 2017-07-10 TestOut Routing and Switching Pro Outline- English 6.0.x Videos: 133 (15:42:34) Demonstrations: 78 (7:22:19) Simulations:
More informationAn Operational Perspective on BGP Security. Geoff Huston February 2005
An Operational Perspective on BGP Security Geoff Huston February 2005 Disclaimer This is not a description of the approach taken by any particular service provider in securing their network. It is intended
More informationIPv6 Transition Mechanisms
IPv6 Transition Mechanisms Petr Grygárek rek 1 IPv6 and IPv4 Coexistence Expected to co-exist together for many years Some IPv4 devices may exist forever Slow(?) transition of (part of?) networks to IPv6
More informationRecent Advances in IPv6 Security. Fernando Gont
Recent Advances in IPv6 Security Fernando Gont About... Security researcher and consultant for SI6 Networks Have worked on security assessment on communications protocols for: UK NISCC (National Infrastructure
More informationCustomer IPv6 Delivery
Customer IPv6 Delivery The Nextgen Experience Chris Chaundy, Nextgen Networks October 2011 Agenda Nextgen Network s strategy Just get a prefix and turn it on!?!? Scope of the project Hardware considerations
More informationDistributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013
Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive
More informationConfiguring IPv6 First-Hop Security
This chapter describes the IPv6 First-Hop Security features. This chapter includes the following sections: Finding Feature Information, on page 1 Introduction to First-Hop Security, on page 1 RA Guard,
More informationNext Generation IPv6 Cyber Security Protection Through Assure6i TM Product Line
Next Generation IPv6 Cyber Security Protection Through Assure6i TM Product Line Designed to Prevent, Detect, and Block Malicious Attacks on Both IPv4 and IPv6 Networks TM Introduction With the exponential
More informationIPv6. Internet Technologies and Applications
IPv6 Internet Technologies and Applications Contents Summary of IPv6 core features Auto-configuration IPv4-IPv6 transition techniques IPv6 networks today ITS 413 - IPv6 2 Motivation Current version of
More informationIPV6 SIMPLE SECURITY CAPABILITIES.
IPV6 SIMPLE SECURITY CAPABILITIES. 50 issues from RFC 6092 edited by J. Woodyatt, Apple Presentation by Olle E. Johansson, Edvina AB. ABSTRACT The RFC which this presentation is based upon is focused on
More informationImplementing Cisco IP Routing (ROUTE)
Implementing Cisco IP Routing (ROUTE) Foundation Learning Guide Foundation learning for the ROUTE 642-902 Exam Diane Teare Cisco Press 800 East 96th Street Indianapolis, IN 46240 Implementing Cisco IP
More informationIPv6 Snooping. Finding Feature Information. Restrictions for IPv6 Snooping
The feature bundles several Layer 2 IPv6 first-hop security features, including IPv6 neighbor discovery inspection, IPv6 device tracking, IPv6 address glean, and IPv6 binding table recovery, to provide
More informationSecuring the Transition Mechanisms
Securing the Transition Mechanisms ITU/APNIC/MICT IPv6 Security Workshop 23 rd 27 th May 2016 Bangkok Last updated 30 th January 2016 1 Where did we leave off? p We ve just covered the current strategies
More informationSECURE ROUTER DISCOVERY MECHANISM TO OVERCOME MAN-IN THE MIDDLE ATTACK IN IPV6 NETWORK
1 SECURE ROUTER DISCOVERY MECHANISM TO OVERCOME MAN-IN THE MIDDLE ATTACK IN IPV6 NETWORK Navaneethan C. Arjuman nava@nav6.usm.my National Advanced IPv6 Centre, Universiti Sains Malaysia March 2018 Copyright
More informationRecent advances in IPv6 insecurities Marc van Hauser Heuse CCC Congress 2010, Berlin Marc Heuse
Recent advances in IPv6 insecurities Marc van Hauser Heuse CCC Congress 2010, Berlin 2010 Marc Heuse Hello, my name is Who has already heard my previous talk? played with IPv6? IPv6 at home?
More informationTable of Contents 1 IPv6 Configuration IPv6 Application Configuration 2-1
Table of Contents 1 IPv6 Configuration 1-1 IPv6 Overview 1-1 IPv6 Features 1-1 Introduction to IPv6 Address 1-2 Introduction to IPv6 Neighbor Discovery Protocol 1-5 Introduction to ND Snooping 1-7 Introduction
More informationTutorial: IPv6 Technology Overview Part II
Tutorial: IPv6 Technology Overview Part II Speaker: Byju Pularikkal, Cisco Systems, Inc Date: 01/30/2011 1 DOCSIS = Data-Over-Cable Service Interface Specification CMTS = Cable Modem Termination System
More informationENTERPRISE MPLS. Kireeti Kompella
ENTERPRISE MPLS Kireeti Kompella AGENDA The New VLAN Protocol Suite Signaling Labels Hierarchy Signaling Advanced Topics Layer 2 or Layer 3? Resilience and End-to-end Service Restoration Multicast ECMP
More informationOperational Security Capabilities for IP Network Infrastructure
Operational Security Capabilities F. Gont for IP Network Infrastructure G. Gont (opsec) UTN/FRH Internet-Draft September 1, 2008 Intended status: Informational Expires: March 5, 2009 Status of this Memo
More informationRecent Advances in IPv6 Security. Fernando Gont
Recent Advances in IPv6 Security Fernando Gont About... Security researcher and consultant for SI6 Networks Have worked on security assessment on communications protocols for: UK NISCC (National Infrastructure
More informationOn Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August
The requirements for a future all-digital-data distributed network which provides common user service for a wide range of users having different requirements is considered. The use of a standard format
More informationPass4sures. Latest Exam Guide & Learning Materials
Pass4sures http://www.pass4sures.top/ Latest Exam Guide & Learning Materials Exam : 200-125 Title : CCNA Cisco Certified Network Associate CCNA (v3.0) Vendor : Cisco Version : DEMO Get Latest & Valid 200-125
More information